Video conferencing software maker Zoom has reached a deal today with the US Federal Trade Commission to settle accusations that it misled users about some of its security features.
The FTC said that earlier this year, during the height of the COVID-19[1] pandemic, Zoom had attracted users to its platform with misleading claims that its product supported "end-to-end, 256-bit encryption" and that its service would store recorded calls in an encrypted format.
However, in a complaint [PDF[2]] filed earlier this year, the FTC's investigators found that Zoom's claims were deceptive.
First, the FTC found that despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn't support E2EE calls in the accepted meaning of the term.
E2EE calls rely on establishing a call between two users and saving the cryptographic key used for encrypting the call on those two users' devices.
But the FTC says that Zoom also kept a copy of the key for itself, allowing it to intercept communications for all its customers.
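To make the distinction in the two paragraphs above concrete, here is an added Python model (not Zoom's code and not taken from the FTC filing): two clients share a per-meeting key and the provider's relay only ever sees ciphertext; flip one flag so the relay also keeps a copy of the key and it can decrypt everything it forwards. The cipher is a toy HMAC-SHA256 counter-mode construction chosen so the example runs on the standard library alone; the client names, the sample message and the `Relay` class are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


# Toy authenticated stream cipher: HMAC-SHA256 in counter mode, encrypt-then-MAC.
# It exists only to illustrate who holds the key; it is not a production cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Client:
    """A meeting participant; the per-meeting key lives on the participant's device."""
    name: str
    meeting_key: bytes

    def send(self, text: str) -> bytes:
        return seal(self.meeting_key, text.encode())

    def receive(self, blob: bytes) -> Optional[str]:
        pt = unseal(self.meeting_key, blob)
        return pt.decode() if pt is not None else None


@dataclass
class Relay:
    """The provider's server (constructed model): forwards ciphertext, may hold keys."""
    held_keys: List[bytes] = field(default_factory=list)
    log: List[bytes] = field(default_factory=list)

    def forward(self, blob: bytes) -> bytes:
        self.log.append(blob)  # the relay keeps what it forwards, as a server would
        return blob

    def can_read(self, blob: bytes) -> bool:
        # The relay can read a message only if one of the keys it holds opens it.
        return any(unseal(k, blob) is not None for k in self.held_keys)


def run_call(provider_keeps_copy: bool, message: str = "patient record 4711") -> dict:
    """Model one message of a call and report who could read it."""
    key = secrets.token_bytes(32)  # constructed per-meeting key shared by the two clients
    alice, bob = Client("alice", key), Client("bob", key)
    # True E2EE: the relay holds no key. Provider-held key: the relay keeps a copy.
    relay = Relay(held_keys=[key] if provider_keeps_copy else [])
    blob = relay.forward(alice.send(message))
    return {
        "bob_reads": bob.receive(blob) == message,
        "provider_reads": relay.can_read(blob),
        "end_to_end": not relay.can_read(blob),
    }


if __name__ == "__main__":
    print("E2EE model:        ", run_call(provider_keeps_copy=False))
    print("provider-held key: ", run_call(provider_keeps_copy=True))
```

The only difference between the two runs is whether the relay was handed the meeting key; the ciphertext on the wire is identical in both cases, which is why a marketing claim of "256-bit encryption" says nothing by itself about whether the provider can read the call.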
Second, the FTC also found that Zoom didn't encrypt some recorded calls as it had claimed. Instead, recorded calls were kept unencrypted on Zoom's servers for up to 60 days before being encrypted and transferred to a secure server, during which time Zoom and other parties could access their content.
"Zoom's misleading claims gave users a false sense of security, [...] especially for those who used the company's platform to discuss sensitive topics such as health and financial information," the FTC said in a press release[3] today.
"In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom's videoconferencing services," the agency added.
In addition, the FTC said it found that Zoom had also made